Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the HTTP field set with ECS definitions as of beta 2 #9645

Merged
merged 5 commits into from
Dec 21, 2018
Merged

Update the HTTP field set with ECS definitions as of beta 2 #9645

merged 5 commits into from
Dec 21, 2018

Conversation

webmat
Copy link
Contributor

@webmat webmat commented Dec 18, 2018
edited
Loading

Caveat

  • We cannot alias the Packetbeat .body fields for this migration. This is a situation similar to Filebeat's source field.
  • http.request.method is not lowercased in this PR. This affects many Fb modules, Packetbeat, etc. I think it should be implemented via an index tokenizer, not by modifying _source

TODO

@webmat webmat requested a review from a team as a code owner December 18, 2018 21:15
@webmat webmat self-assigned this Dec 18, 2018
@webmat webmat added in progress Pull request is currently in progress. ecs labels Dec 18, 2018
@ruflin ruflin mentioned this pull request Dec 18, 2018
Closed
@webmat webmat mentioned this pull request Dec 18, 2018
Merged
8 tasks
@ruflin
Copy link
Member

ruflin commented Dec 19, 2018

Looks like this breaks some packetbeat tests?

@webmat
Copy link
Contributor Author

webmat commented Dec 19, 2018

@ruflin Yeah that's possible. I had problems running the test suite locally, so I decided to ask Jenkins and Travis for help. Hence the WIP / "in progress" ;-)

@webmat
Copy link
Contributor Author

webmat commented Dec 19, 2018

Error in question:

======================================================================
ERROR: Check that the http body is exported only for some http messages that have the
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/travis/gopath/src/github.com/elastic/beats/packetbeat/tests/system/test_0063_http_body.py", line 49, in test_include_body_for_both_request_response
    objs = self.read_output()
  File "/home/travis/gopath/src/github.com/elastic/beats/packetbeat/tests/system/packetbeat.py", line 122, in read_output
    self.all_fields_are_expected(jsons, self.expected_fields)
  File "/home/travis/gopath/src/github.com/elastic/beats/packetbeat/tests/system/../../../libbeat/tests/system/beat/beat.py", line 471, in all_fields_are_expected
    .format(key))
Exception: Unexpected key 'http.response.body' found

@webmat
Copy link
Contributor Author

webmat commented Dec 19, 2018

@andrewkroh ECS 1 Beta 2 introduced the http field set with the bodies nested a bit deeper: http.*.body.content instead of http.*.body. I've made the change in Packetbeat, and the tests are now passing. I'd like it if you could look at this, to make sure I haven't forgotten anything.

andrewkroh
andrewkroh reviewed Dec 20, 2018
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That looks like everything w.r.t to the Packetbeat code. I'm really hoping the test coverage for http is good in Packetbeat 🤞

I think there are some mentions in the documentation that also need updated. Like here.

@webmat webmat mentioned this pull request Dec 20, 2018
Merged
19 tasks
@webmat
Copy link
Contributor Author

webmat commented Dec 20, 2018

I've modified the documentation and added changelog entries in two places (Pb/breaking and All beats/Added).

I'd like to merge this as is. There's a few caveats listed in the body of this PR. One for awareness / discussion (can't alias Packetbeat's body changes), and one is for follow-up work.

@webmat webmat requested a review from ruflin December 20, 2018 20:42
@webmat webmat added review and removed in progress Pull request is currently in progress. labels Dec 20, 2018
This was referenced Dec 20, 2018
Closed
Merged
@webmat
Copy link
Contributor Author

webmat commented Dec 21, 2018

jenkins, test this

@webmat webmat mentioned this pull request Dec 21, 2018
Merged
3 tasks
ruflin
ruflin reviewed Dec 21, 2018
View reviewed changes
packetbeat/protos/http/http.go Outdated
@@ -629,7 +629,7 @@ func (http *httpPlugin) collectHeaders(m *message) interface{} {

func (http *httpPlugin) setBody(result common.MapStr, m *message) {
if m.sendBody && len(m.body) > 0 {
result["body"] = string(m.body)
result["body.content"] = string(m.body)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably better user here result.Put("body.content", string(m.body) so it creates the correct object.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Although the rest of this file use the square bracket notation to set fields. I'm not adjusting the rest of this file.

@webmat
Copy link
Contributor Author

webmat commented Dec 21, 2018

@ruflin One last look needed. My understanding is that these metricbeat failures are unrelated, correct?

https://beats-ci.elastic.co/job/elastic+beats+pull-request+multijob-linux/2877/testReport/

Once I merge this PR, the rebase conflicts that leave x-pack/auditbeat/include/fields.go broken will be a thing of the past.

@webmat
Copy link
Contributor Author

webmat commented Dec 21, 2018

Ok just confirmed metricbeat failure is unrelated. Just got fixed by #9749

@webmat webmat merged commit caf07a3 into elastic:master Dec 21, 2018
@webmat webmat deleted the ecs-http-update branch December 21, 2018 16:49
webmat pushed a commit to webmat/beats that referenced this pull request Dec 21, 2018
First pass at including all missing ECS Beta 2 changes...
1356f03 
- With the exception of http, captured in elastic#9645
- With the exception of os, which must be updated in a bunch of places
webmat added a commit that referenced this pull request Dec 21, 2018
@webmat
Import most ECS Beta 2 differences (#9738)
b168683 
This addresses most of the differences, with the exception of http (#9645) and os (PR coming)

Changes:

- `client/server`, `source/destination`
  - Update each field set's definition
  - Add the `.address` field (except for `source`, which already had it)
- `network`: update definitions and examples wrt lowercase directive
- `user_agent.original` index is now `keyword` indexed (See elastic/ecs#262)
- Update `ecs.version` example
@webmat webmat mentioned this pull request Dec 21, 2018
Merged
@ruflin
Copy link
Member

ruflin commented Dec 27, 2018

@webmat Nit: Could you adjust the title of the PR so if people come back to this PR it does not say WIP and it's merged ;-)

@ruflin
Copy link
Member

ruflin commented Dec 27, 2018

@webmat Should this also show up in the ecs migration yml file?

@webmat webmat changed the title WIP Update the HTTP field set with ECS definitions as of beta 2 Update the HTTP field set with ECS definitions as of beta 2 Jan 3, 2019
webmat pushed a commit to webmat/beats that referenced this pull request Jan 3, 2019
Add two migrated fields to ecs-migration from elastic#9645.
724f243 
Notes:

- Can't be aliased since `body` is moving to `body.content`.
- Currently only affects Packetbeat, so it's been listed only there,
even if these are ECS field defs.
- This will affect the ES Filebeat module logs as well. A note as been
added to elastic#9293, so it doesn't get forgotten.
@webmat
Copy link
Contributor Author

webmat commented Jan 3, 2019

@ruflin Yes, good point about ecs-migration. I've opened #9878

webmat added a commit that referenced this pull request Jan 7, 2019
@webmat
Add two migrated fields to ecs-migration.yml from #9645 + minor clean…
2d58140 
…up. (#9878)

Details:

* Add two migrated fields to ecs-migration from #9645. Can't be aliased since `.body` is moving to `.body.content`.
* Remove dupe headers for what's after the 'processors' section. Likely a rebase hiccup.
* Fix typo in processors entries: `form` => `from`.
* Move the processors heading above the docker processor section
DStape pushed a commit to DStape/beats that referenced this pull request Aug 20, 2019
@webmat
WIP Update the HTTP field set with ECS definitions as of beta 2 (elas…
ea749e1 
…tic#9645)

- Introduces fields for http size metrics
- HTTP body field is now nested deeper:
  - `http.request.body` moves to `http.request.body.content`
  - `http.response.body` moves to `http.response.body.content`
  - packetbeat has been adjusted accordingly
- Introduces missing field definition updates (mainly to lowercase `method`)
- Unrelated: delete `x-pack/auditbeat/include/fields.go` which should have been deleted in elastic#9724.
DStape pushed a commit to DStape/beats that referenced this pull request Aug 20, 2019
@webmat
Import most ECS Beta 2 differences (elastic#9738)
45b6807 
This addresses most of the differences, with the exception of http (elastic#9645) and os (PR coming)

Changes:

- `client/server`, `source/destination`
  - Update each field set's definition
  - Add the `.address` field (except for `source`, which already had it)
- `network`: update definitions and examples wrt lowercase directive
- `user_agent.original` index is now `keyword` indexed (See elastic/ecs#262)
- Update `ecs.version` example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@houndci-bot houndci-bot houndci-bot left review comments

@ruflin ruflin ruflin left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@webmat webmat

Labels
ecs review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@webmat @ruflin @andrewkroh @houndci-bot